I came across an interesting article on Reuters today:
U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes.
The Securities and Exchange Commission issued guidelines on Thursday that laid out the kind of information companies should disclose, such as cyber events that could lead to financial losses.
There is a growing sense of urgency about cyber security following breaches at Google Inc, Lockheed Martin Corp, the Pentagon’s No. 1 supplier, Citigroup, the International Monetary Fund and others.
The SEC gets into specifics, telling companies what type of data they might need to provide investors.
"Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue," it says.
(The document can be accessed on the SEC’s website: www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm )
A report out earlier this month found that U.S. banks are losing ground in the battle to combat credit and debit card fraud because they balk at the expense of higher security. Globally, however, security is improving in the payment industry, according to data from The Nilson Report, a California trade publication.
This is a pretty big step for the SEC. Requiring companies to disclose when they have been hacked shifts the action on corporations from something voluntary to something that they have to do. The question is do we want to hear about everything? And who even has the expertise to figure out what’s been stolen and what the financial damage is?
I’ve read a lot of articles on cyber hacks earlier this year and many of the authors say that there are two types of companies: those that have been hacked, and those who don’t they have been hacked. In the case of the SEC, they may as well start advising investors that if you’re investing in a big company (certainly amongst the Fortune 500), you may as well assume that they are a victim of a cyber attack whether they have disclosed it or not. Investors ought to include that into their discount cash flow analysis.
But I wonder if the reverse is true? If knowing that companies are the victims of a cyber attack causes a company to be evaluated differently because of the risk, then does knowing whether another company is the beneficiary of that stolen data decrease the risk?
For example, if China is well known for stealing sensitive data from western corporations and giving it to their own competitive industries, does that make investing in Chinese companies less risky? For example, Google has twice (so far, at least publically) been the victim of a cyber hack and the evidence has led back to China. Does this mean that it’s safer to invest in Baidu than Google?
Hmm, makes you think.
(Disclosure: at time of this writing, I am not long either Google or Baidu although I have owned both stocks in the past)